Abstract

Quantum key distribution allows two parties, traditionally known as Alice
and Bob, to establish a secure random cryptographic key if, firstly, they
have access to a quantum communication channel, and secondly, they can
exchange classical public messages which can be monitored but not altered
by an eavesdropper, Eve. Quantum key distribution provides perfect security
because, unlike its classical counterpart, it relies on the laws of physics
rather than on ensuring that successful eavesdropping would require
excessive computational effort. However, security proofs of quantum key
distribution are not trivial and are usually restricted in their
applicability to specific protocols. In contrast, we present a general and
conceptually simple proof which can be applied to a number of different
protocols. It relies on the fact that a cryptographic procedure called
privacy amplification is equally secure when an adversary's memory for data
storage is quantum rather than classical 0.

1 Introduction 



The potential power of quantum phenomena to protect information was first
adumbrated by Wiesner who, in the early 1970's, introduced the concept of
quantum conjugate coding [2]. He showed how to store or transmit two
messages by encoding them in two conjugate observables, such as linear and
circular polarization of light, so that either, but not both, may be
received and decoded. He illustrated his idea with a design of unforgeable
bank notes. Building upon this work, Bennett and Brassard proposed a
quantum key distribution scheme, known as BB84 or the four state protocol,
in which Alice repeatedly sends to Bob one of four prescribed states of a
qubit, and Bob measures them in one of two conjugate bases. Independently
and initially unaware of the earlier work, Ekert developed a different
approach to quantum cryptography based on quantum entanglement. He proposed
a key distribution protocol, known as E91, in which entangled pairs of
qubits are distributed to Alice and Bob, who then extract key bits by
measuring their qubits in prescribed bases. A particularly nice feature of
E91, for the purpose of security analysis, is that Eve herself is allowed
to prepare and deliver all the qubit pairs that Alice and Bob will
subsequently use to generate the key.

Many variations on quantum key distribution have been subsequently 
proposed and we will mention some of them later on. They can be roughly 
divided into "prepare and measure" protocols, such as BB84 and B92 jSj, and 
"entanglement based" protocols, such as E91. Many interesting techniques 
for manipulating quantum entanglement have been discovered in the last 
few years. Thus it is often convenient to cast some of the "prepare and 
measure" protocols in terms of the "entanglement based" ones. 

1.1 Security Proofs 

All good quantum key distribution protocols must be operable in the
presence of noise that may or may not result from eavesdropping. The
protocols must specify for which values of measurable parameters Alice and
Bob can establish a secret key and provide a physically implementable
procedure which generates such a key. The design of the procedure must take
into account that an eavesdropper may have access to unlimited quantum
computing power. On Alice and Bob's side, the procedure should rely on
simple and easily implementable operations. For example, good protocols
should not assume that Alice and Bob have quantum computers, or any
sophisticated quantum technology, apart from the ability to transmit over a
quantum channel.

The search for operational security criteria led to early studies of
quantum eavesdropping |S1 [7] and finally to the first proof of the security
of key distribution |S]. The original proof showed that the E91 and all
entanglement based key distributions are indeed secure and noise-tolerant
against an adversary with unlimited computing power as long as Alice and
Bob can implement quantum privacy amplification. Quantum privacy
amplification allows one to establish a secure key over any distance, e.g.
using entanglement swapping [9] in a chain of quantum repeaters [10, 11].
However, this procedure, which distills pure entangled states from
corrupted mixed states of two qubits, requires a small scale quantum
computation. Subsequent proofs by Inamori ^21 and Ben-Or showed that Alice
and Bob can also distill a secret key from partially entangled particles
using only classical error correction and classical privacy amplification
[14, 15].

Quantum privacy amplification was also used by Lo and Chau to prove the
security of the BB84 protocol over an arbitrary distance |T^. A concurrent
and independent proof by Mayers showed that the protocol can be secure
without Alice and Bob having to rely on the use of quantum computers. The
same conclusion, but using different techniques, was subsequently reached
by Biham et al. [18]. Although the two proofs did not require quantum
privacy amplification they were rather complex. A nice fusion of quantum
privacy amplification and error correction was proposed by Shor and Preskill
who formulated a relatively simple proof of the security of the BB84
protocol based on virtual quantum error correction ^HI-. They showed that a
protocol which employs quantum error-correcting codes to prevent Eve from
becoming entangled with qubits that are used to generate the key reduces to
the BB84 augmented by classical error correction and classical privacy
amplification. This proof has been further extended by Gottesman and Lo
[20] to cover the case of two-way public communication in BB84 which allows
a higher bit error rate, and by Tamaki et al. [21] to prove the security of
the B92 protocol. More recently another simple proof of the security of
BB84, which employs results from quantum communication complexity, has been
provided by Ben-Or [13].

1.2 Do we need another Security Proof? 

Most popular quantum key distribution schemes have been analyzed in terms 
of their security criteria and there is a pretty good understanding of the 
limitations of the techniques involved e.g. those due to imperfect sources 
or detectors. The schemes vary but every single one of them must involve 
either quantum or classical privacy amplification as an inherent part of the 
secure key distillation protocol. 

Classical privacy amplification, originally proposed by Bennett, Brassard
and Robert, was restricted to the case in which Eve acquires classical,
deterministic information about the raw key [T^. The applicability of the
method was then extended by Bennett, Brassard, Crepeau and Maurer to cover
scenarios where Eve's information is classical and probabilistic [15]. We
use the recent result by Konig, Maurer and Renner on the power of quantum
memory T| in a quantum cryptographic context. It can be viewed as a further
generalization of classical privacy amplification to cases in which Eve's
information about the key is quantum. Of course, the privacy amplification
is useless unless we can derive an upper bound on the amount of quantum
information available to Eve. We show how to do this for common quantum key
distribution protocols. Taken together these results give a very general
and powerful technique for assessing security of a wide class of quantum
key distribution protocols.

1.3 Scenario 

In our scenario Eve has a technological advantage over Alice and Bob. She
can distribute qubits to Alice and Bob, she can entangle the qubits with an
ancilla that she controls, she can have access to unlimited quantum
computational power, and she can monitor all the public communication
between Alice and Bob in which they reveal their measurement choices and
exchange further information in order to correct errors in their shared key
and to amplify its privacy. In contrast Alice and Bob can only perform
measurements on individual qubits and communicate classically over a public
channel. We will assess the security in the case of a noisy quantum channel
without losses.

Alice and Bob go through prescribed stages of quantum key distribution and
at some point they end up with perfectly correlated binary strings about
which Eve has some information, namely all information communicated in
public together with all information contained in her ancilla. The ancilla
is a quantum entity which Eve may measure at the very end of the key
distribution protocol. Hence its information content has to be expressed in
qubits rather than bits. Classical privacy amplification allows Alice and
Bob to increase the privacy of the shared string as long as they can
estimate the amount of classical information that leaked to Eve [1]. For
any shared string of $n$ bits upon which Eve has some $r$ bits of
information the procedure outputs a binary string of length $s$ shorter
than $n - r$ and such that Eve has virtually no information about the new
string. The snag is that Eve, who can delay her measurement of the ancilla,
has $r$ qubits rather than $r$ bits of information about the $n$-bit string.
However, in this particular context, it does not matter, as shown in X-. We
show how Alice and Bob are able to estimate the quantum information content
of $r$ qubits in Eve's ancilla in a generic quantum key distribution
protocol.

2 Outline of the Main Result



It is convenient for the purpose of this outline to start with a generic
scenario in which Eve distributes quantum particles to Alice and Bob.
Without any loss of generality we assume that Eve starts with a tripartite
pure state describing a batch of particles delivered to Alice, a batch of
particles delivered to Bob, and an ancilla which is retained by Eve.

When Alice and Bob receive their respective particles they perform
measurements following a quantum key distribution protocol, which they
agreed to in advance. For example, they may measure every single particle
choosing randomly from a prescribed set of different measurements. They
also communicate in public and agree which outcomes of the measurements are
to be discarded and which will be used for the key generation.

At this point Alice and Bob have partially correlated $n$-bit strings
labeled, respectively, as $X$ and $Y$. Eve knows the protocol and holds an
ancilla which was entangled with the qubits prior to Alice's and Bob's
measurements. After the measurements the ancilla is in a quantum state
which, in general, depends on $X$ and $Y$ and is described by some density
operator . The initial public communication must allow Alice and Bob to
estimate the degree of the correlation between $X$ and $Y$ and to derive an
upper bound on the quantum information content of the ancilla in state .
This is not trivial as we do not assume that the pairs of qubits are
independent and identically distributed (i.i.d.); they can be entangled
between themselves and the ancilla in an arbitrary way.

We solve the problem in its full generality. However, in this section we 
present a rough outline based on the i.i.d case. This, we hope, will serve as 
a gentle introduction to the more technical sections that follow. 

Let Alice and Bob be given $n$ realizations of i.i.d. random variables $X$
and $Y$ respectively. Let the degree of correlations be quantified by the
mutual information $I(X;Y)$ and let the quantum information content of the
ancilla be no more than $r$ qubits. The strings of Alice and Bob can be
made identical with high probability by a procedure called information
reconciliation. Alice has to communicate in public approximately $nH(X|Y)$
(the conditional entropy of $X$ given $Y$) bits about her string so that
Bob, who holds $n$ realizations of $Y$, can guess Alice's string correctly.

Thus, after the information reconciliation, Eve's information about Alice's
string consists of $nH(X|Y)$ classical bits and $r$ qubits. Without any
loss of generality we can assume that Eve's information is contained in
$nH(X|Y) + r$ qubits. Eve can wait and perform her measurement on the
ancilla whenever she sees fit. However, no matter which observable she
measures after the classical privacy amplification she is not better off
than she would be if she had $nH(X|Y) + r$ classical bits of information
about $X$ prior to the privacy amplification. This follows from the recent
work by Konig, Maurer, and Renner on the power of quantum memory [J. We
will elaborate on this in more detail in section|Sland section|3. Thus the
length of the secret key after the privacy amplification is
$nH(X) - nH(X|Y) - r = nI(X;Y) - r$, i.e. the key can be established when
$nI(X;Y) > r$.

In the main part of the paper we will show how the estimation of $r$ works
in general. In order to illustrate the idea behind this estimation, let us
consider the particular case of independent and identically distributed
pairs of quantum states. Each pair that Eve delivers to Alice and Bob comes
from a tripartite pure state $|\Psi\rangle$ such that
$\rho = \mathrm{tr}_E |\Psi\rangle\langle\Psi|$ is the density operator of
each pair of quantum states and
$\rho^E = \mathrm{tr}_{AB} |\Psi\rangle\langle\Psi|$ is the density operator
of a part of the ancilla. The state of the ancilla is an $n$-fold tensor
product of the form
$(\rho^E)^{\otimes n} = \rho^E \otimes \cdots \otimes \rho^E$. In this
particular case we can use the quantum coding results [22, 23] to estimate
$r$ in the limit of large $n$; $r = nS(\rho^E) = nS(\rho)$ qubits, where
$S(\rho)$ is the von Neumann entropy of $\rho$;
$S(\rho) = -\mathrm{tr}(\rho \log \rho)$.

In the qubit case, the mutual information can be written as
$I(X;Y) = n(1 - h(e))$, where $h(e) = -e \log e - (1 - e)\log(1 - e)$ is the
binary entropy function and $e$ is the average bit error rate. The
threshold error rate can then be established from the condition

$$1 - h(e) > S(\rho). \tag{1}$$

A key distribution protocol should allow Alice and Bob to estimate the
purity of the pairs of quantum states in terms of the von Neumann entropy
$S(\rho)$. If not they need to maximize $S(\rho)$ over all possible density
operators $\rho$ which are consistent with the estimated bit error rate $e$.

Moreover the key rate $R$ is

$$R = H(X) - H(X|Y) - \max_{\rho} S(\rho) \tag{2}$$

(see section 4.3).

The argument above relies on the extension of the applicability of
classical privacy amplification to the cases where Eve has partial quantum
rather than partial classical information about the key. This follows from
a more general observation that encoding classical information into qubits
rather than bits, although never worse, does not offer any significant
advantage in some scenarios; ours being one of them. Amazingly enough
potential advantages of quantum encoding were already pointed out by
Wiesner in his seminal paper on conjugate coding [^. Subsequently Ambainis,
Nayak, Ta-Shma and Vazirani j^H considered a scenario where one has to use
partial information about a binary string $X$ to answer a random binary
question about $X$. One might think that storing partial information about
$X$ in a quantum rather than classical memory has a natural advantage
because one can delay a measurement on the quantum memory until after the
question has been asked. This gives an extra freedom of choosing the most
appropriate measurement. However, Ambainis et al. and Nayak [25] showed
that if information about an $n$-bit string $X$ is stored in $r$ qubits and
one is asked about a particular bit of $X$ then in order to err with
probability less than $e$ one needs $r > n(1 - h(e))$. Thus,
asymptotically, in this particular case, quantum storage does not offer any
advantage. Konig, Maurer and Renner [J show that there is no advantage even
if one is asked more general, non-binary, questions about $X$. This made it
possible to make the connection to privacy amplification.

In the following we provide a detailed and reasonably self-contained
description of the new security proof. In section 3 we introduce the
relevant concepts and methods of probability theory and quantum mechanics.
The main results are presented in section |2. This is followed by
applications of our security criteria to selected quantum key distribution
protocols (section Ej).

3 Preliminaries

3.1 Notation

Let $a$ be a subset of a set $X$. The characteristic function $\chi_a$ of
$a$ on $X$ is the function from $X$ to $\{0, 1\}$ defined by
$\chi_a(i) = 1$ if and only if $i \in a$.

Let $z = (z_1, \ldots, z_n)$ be an $n$-tuple and
$a \subseteq \{1, \ldots, n\}$ a set of indices. Then denotes the
$|a|$-tuple containing all with $i \in a$. For two $n$-tuples
$z = (z_1, \ldots, z_n)$ and $z' = (z'_1, \ldots, z'_n)$ of real values,
$z$ is said to be majorized by $z'$, denoted $z \prec z'$, if for any
$k \in \{1, \ldots, n\}$

where and are the sets containing the indices of the $k$ largest elements
of $z$ and $z'$, respectively. A real valued function $f$ on the set of
real $n$-tuples is said to be Schur-convex if

$$z \prec z' \implies f(z) \le f(z')$$

for any $z$ and $z'$.

For a function $f$ on $\mathcal{Z}$, we denote by $f^{\max}$ and $f^{\min}$
the functions on the power set of $\mathcal{Z}$ defined by

$$f^{\max}(W) = \max_{z \in W} f(z) \quad \text{and} \quad f^{\min}(W) = \min_{z \in W} f(z),$$

for any $W \subseteq \mathcal{Z}$.

Let $\delta$ be a metric on a set $\mathcal{Z}$. The
$\varepsilon$-environment of an element $z \in \mathcal{Z}$ is defined by

$$B^{\varepsilon}(z) := \{z' \in \mathcal{Z} : \delta(z, z') \le \varepsilon\}.$$

Similarly, the $\varepsilon$-environment of a subset
$W \subseteq \mathcal{Z}$ is the union of all $\varepsilon$-environments of
elements of $W$, i.e.,

$$B^{\varepsilon}(W) := \bigcup_{z \in W} B^{\varepsilon}(z).$$

3.2 Elements of Classical Probability and Information Theory

The goal of this subsection is to introduce some concepts of probability and
information theory that we will use for the proofs of our main results. For
a more complete overview, we refer to the standard literature (e.g., [26]).

In the following, we use capital letters ($Z$) for random variables,
calligraphic letters ($\mathcal{Z}$) for their range, and small letters
($z$) for the elements of their range. The probability distribution of a
random variable $Z$ is denoted by $P_Z$. The expectation over $Z$ of a
function $f$ of $Z$ is given by
$E_Z[f(Z)] := \sum_{z \in \mathcal{Z}} P_Z(z) f(z)$. A random variable or
probability distribution is called binary if it has range
$\mathcal{Z} = \{0, 1\}$. We write Pp™ for the binary probability
distribution with = p.

An $n$-tuple $(Z_1, \ldots, Z_n)$ of random variables with the same range
$\mathcal{Z}$ is called exchangeable if, for all permutations $\pi$ on
$\{1, \ldots, n\}$,

It is easy to see that, for any $n$-tuple $(Z_1, \ldots, Z_n)$ of random
variables with range $\mathcal{Z}$, the $n$-tuple

$$(Z'_1, \ldots, Z'_n) := (Z_{\Pi(1)}, \ldots, Z_{\Pi(n)})$$

obtained by permuting the indices according to a random permutation $\Pi$
on $\{1, \ldots, n\}$ is exchangeable.

The variational distance between two probability distributions $P$ and $Q$
over the same range $\mathcal{Z}$ is defined by

$$\delta(P, Q) := \frac{1}{2} \sum_{z \in \mathcal{Z}} |P(z) - Q(z)|.$$

The variational distance $\delta$ is a metric on the set of probability
distributions with range $\mathcal{Z}$. In particular, $\delta(P, Q) = 0$ if
and only if $P = Q$, it is symmetric, and it satisfies the triangle
inequality. For random variables $Z$ and $Z'$, we also write
$\delta(Z, Z')$ instead of $\delta(P_Z, P_{Z'})$. The variational distance
between two probability distributions $P$ and $Q$ can be interpreted as the
probability that two random experiments described by $P$ and $Q$,
respectively, are different. This is formalized by the following lemma.

Lemma 3.1. Let $P$ and $Q$ be two probability distributions. Then there
exists a pair of random variables $Z$ and $Z'$ with joint probability
distribution $P_{ZZ'}$ such that $P_Z = P$, $P_{Z'} = Q$, and

$$\mathrm{Prob}[Z \ne Z'] = \delta(P, Q).$$
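The pair of random variables promised by Lemma 3.1 can be built explicitly. The following is an added example, not code from the paper: it constructs such a joint distribution for finite distributions given as dictionaries and also evaluates the distance after applying a function to both variables. The function names and the sample distributions `P_EXAMPLE` and `Q_EXAMPLE` are constructed for illustration.

```python
from fractions import Fraction


def variational_distance(P, Q):
    """delta(P, Q) = 1/2 * sum_z |P(z) - Q(z)| for dicts outcome -> probability."""
    return sum(abs(P.get(z, 0) - Q.get(z, 0)) for z in set(P) | set(Q)) / 2


def maximal_coupling(P, Q):
    """Joint distribution of (Z, Z') with marginals P and Q in which Z = Z'
    as often as possible, so that Prob[Z != Z'] = delta(P, Q)."""
    joint, surplus, deficit = {}, {}, {}
    for z in sorted(set(P) | set(Q)):
        p, q = P.get(z, 0), Q.get(z, 0)
        common = min(p, q)
        if common:
            joint[(z, z)] = common        # mass on which both experiments agree
        if p > q:
            surplus[z] = p - q            # mass of Z that cannot be matched
        elif q > p:
            deficit[z] = q - p            # mass of Z' that cannot be matched
    delta = sum(surplus.values())         # equals sum(deficit.values())
    for z, s in surplus.items():
        for z2, d in deficit.items():
            joint[(z, z2)] = s * d / delta   # z != z2 by construction
    return joint


def marginals(joint):
    """Return the distributions of Z and Z' under the joint distribution."""
    PZ, PZ2 = {}, {}
    for (z, z2), mass in joint.items():
        PZ[z] = PZ.get(z, 0) + mass
        PZ2[z2] = PZ2.get(z2, 0) + mass
    return PZ, PZ2


def disagreement_probability(joint):
    """Prob[Z != Z'] under the joint distribution."""
    return sum(mass for (z, z2), mass in joint.items() if z != z2)


def push_forward(P, f):
    """Distribution of f(Z) when Z is distributed according to P."""
    out = {}
    for z, mass in P.items():
        out[f(z)] = out.get(f(z), 0) + mass
    return out


# Constructed sample distributions over {a, b, c} (exact rational arithmetic).
P_EXAMPLE = {"a": Fraction(1, 2), "b": Fraction(1, 3), "c": Fraction(1, 6)}
Q_EXAMPLE = {"a": Fraction(1, 4), "b": Fraction(1, 4), "c": Fraction(1, 2)}

if __name__ == "__main__":
    J = maximal_coupling(P_EXAMPLE, Q_EXAMPLE)
    print("delta(P, Q)   =", variational_distance(P_EXAMPLE, Q_EXAMPLE))
    print("Prob[Z != Z'] =", disagreement_probability(J))
    print("marginals     =", marginals(J))
```

Applying the same function to both variables, as in `push_forward`, can only merge outcomes, which is why the distance between the images never exceeds the distance computed here.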

It is easy to see that the variational distance between $Z$ and $Z'$ cannot
increase when applying the same function $f$ on both $Z$ and $Z'$, i.e.,

$$\delta(Z, Z') \ge \delta(f(Z), f(Z')). \tag{3}$$

Let $[Z, W]$ and $[Z', W']$ be two pairs of random variables, and let
$P_{Z|W}(\cdot; w) := P_{Z|W=w}$ and $P_{Z'|W'}(\cdot; w) := P_{Z'|W'=w}$ be
the probability distribution of $Z$ and $Z'$ conditioned on $W = w$ and
$W' = w$, respectively. Using the triangle inequality, it can be shown that

$$\bigl|\delta(P_{ZW}, P_{Z'W'}) - E_W[\delta(P_{Z|W}(\cdot; W), P_{Z'|W'}(\cdot; W))]\bigr| \le \delta(P_W, P_{W'}). \tag{4}$$

Combining this with (3) for the function $f : (z, w) \mapsto w$ leads to

$$E_W[\delta(P_{Z|W}(\cdot; W), P_{Z'|W'}(\cdot; W))] \le 2\,\delta(P_{ZW}, P_{Z'W'}), \tag{5}$$

and, similarly, for $f : (z, w) \mapsto z$,

$$\delta(P_Z, P_{Z'}) \le E_W[\delta(P_{Z|W}(\cdot; W), P_{Z'|W'}(\cdot; W))] + \delta(P_W, P_{W'}). \tag{6}$$

Let $P$ be a probability distribution over $\mathcal{Z}$. The
non-uniformity of $P$,

$$d(P) := \delta(P, U),$$

is defined as the variational distance of $P$ from the uniform distribution
$U$ over $\mathcal{Z}$. For a random variable $Z$ with probability
distribution $P_Z$, we also write $d(Z)$ instead of $d(P_Z)$. Similarly, for
two random variables $Z$ and $W$, the expected non-uniformity of $Z$ given
$W$ is defined by

$$d(Z|W) := E[d(P_{Z|W}(\cdot; W))].$$

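Definition 3.2. Let $\mathbf{z} := (z_1, \ldots, z_n)$ be an $n$-tuple of
elements from a set $\mathcal{Z}$. The frequency distribution
$Q_{\mathbf{z}}$ of $\mathbf{z}$ is the real valued function on
$\mathcal{Z}$ defined by



for $z \in \mathcal{Z}$.

It is easy to see that the frequency $Q_{\mathbf{z}}$ is a probability
distribution on $\mathcal{Z}$, i.e., $Q_{\mathbf{z}}(z) \in [0, 1]$ and
$\sum_{z \in \mathcal{Z}} Q_{\mathbf{z}}(z) = 1$.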

Definition 3.3. The probability range of an $n$-tuple
$\mathbf{Z} = (Z_1, \ldots, Z_n)$ of random variables with range
$\mathcal{Z}$ is the smallest convex set $\mathcal{V}$ of probability
distributions on $\mathcal{Z}$ such that

$$P_{Z_k | Z_1 = z_1, \ldots, Z_{k-1} = z_{k-1}} \in \mathcal{V}$$

for all $k \in \{1, \ldots, n\}$ and $z_1, \ldots, z_{n-1} \in \mathcal{Z}$.

The following result of [23] states that the frequency distribution of a
sequence of random variables is with high probability contained in an
$\varepsilon$-environment of its probability range.

Lemma 3.4. Let $\mathbf{Z} = (Z_1, \ldots, Z_n)$ be an $n$-tuple of random
variables with alphabet $\mathcal{Z}$ of size $|\mathcal{Z}| = q$ and let
$\mathcal{V}$ be the probability range of $\mathbf{Z}$. Then, for any
$\varepsilon \ge 0$,

$$\mathrm{Prob}[Q_{\mathbf{Z}} \in B^{\varepsilon}(\mathcal{V})] \ge 1 - 2^{q} e^{-n\varepsilon^2/2}.$$

We will make use of different entropy measures to characterize random
variables or, more precisely, their probability distributions. Let $P$ be a
probability distribution with range $\mathcal{Z}$, support
$\mathcal{Z}^+ := \{z \in \mathcal{Z} : P(z) > 0\}$, and maximum
probability $p_{\max}(P) := \max_{z \in \mathcal{Z}} P(z)$. Then, the Renyi
entropy of order $\alpha$, for $\alpha \in \mathbb{R}^+ \cup \{\infty\}$,^
is defined by^

z^Z 

^For $\alpha \in \{0, 1, \infty\}$, $H_\alpha(P)$ is defined by the limit value $\lim_{\beta \to \alpha} H_\beta(P)$.
^All logarithms in this paper are binary.

It turns out that, for $\alpha = 1$, $H_1(P)$ corresponds to the Shannon
entropy $H(P) = -\sum_{z \in \mathcal{Z}^+} P(z) \log(P(z))$. Moreover, for
$\alpha = \infty$, we have $H_\infty(P) = -\log(p_{\max})$, which is also
called min-entropy, and, for $\alpha = 0$,
$H_0(P) = \log(|\mathcal{Z}^+|)$. For a random variable $Z$ with
probability distribution $P_Z$, we also write $H(Z)$ instead of $H(P_Z)$,
and, more generally, for an event $\mathcal{E}$, $H(Z|\mathcal{E})$ instead
of $H(P_{Z|\mathcal{E}})$.

The Renyi entropy of order $\alpha$ of a random variable $Z$ conditioned on
another random variable $W$ is given by

$$H_\alpha(Z|W) := \min_{w} H_\alpha(Z|W = w) \quad (\text{for } \alpha > 1)$$

and

$$H_\alpha(Z|W) := \max_{w} H_\alpha(Z|W = w) \quad (\text{for } \alpha < 1).$$



We will often be interested in the entropy of a probability distribution
which is close to a given distribution $P$. This is formalized by the notion
of smooth Renyi entropy introduced in [28].

Definition 3.5. Let $\varepsilon \ge 0$ and
$\alpha \in \mathbb{R}^+ \cup \{\infty\}$. The $\varepsilon$-smooth Renyi
entropy of order $\alpha$ of a probability distribution $P$ is defined by

$$H^{\varepsilon}_{\alpha}(P) := H^{\max}_{\alpha}(B^{\varepsilon}(P)) \quad (\text{for } \alpha > 1)$$

and

$$H^{\varepsilon}_{\alpha}(P) := H^{\min}_{\alpha}(B^{\varepsilon}(P)) \quad (\text{for } \alpha < 1).$$

Similarly, the notion of conditional Renyi entropy can be generalized to
smooth Renyi entropy. In particular, for $\alpha = \infty$, we have

$$H^{\varepsilon}_{\infty}(Z|W) := \max H_{\infty}(Z'|W').$$

The following lemma is an immediate consequence of the above definition
for $\alpha = 0$.

Lemma 3.6. Let $Z$ be a random variable with range $\mathcal{Z}$ and let
$W$ be a subset of $\mathcal{Z}$. Then, for any $\varepsilon \ge 0$,

$$\mathrm{Prob}[Z \in W] \ge 1 - \varepsilon \implies H^{\varepsilon}_{0}(P_Z) \le \log |W|.$$

For $\alpha = 0$, the (smooth) Renyi entropy is sub-additive.

Lemma 3.7. Let $Z$ and $W$ be two random variables. Then, for any
$\varepsilon, \varepsilon' \ge 0$,

$$H^{\varepsilon + \varepsilon'}_{0}(ZW) \le H^{\varepsilon}_{0}(Z) + H^{\varepsilon'}_{0}(W).$$

The min-entropy of a random variable $Z$ when conditioning on another
random variable $W$ cannot decrease more than the Renyi entropy of order
zero of $W$.

Lemma 3.8. Let Z and W be random variables. Then, for any £,e',e" G 



+^ {Z\W) > HUZW) - HI [W] - log(-) . 

Lemma 3.9. Let $\mathbf{Z}$ be an exchangeable $n$-tuple of random
variables with range $\mathcal{Z}$. Then

$$H_{\infty}(\mathbf{Z} | Q_{\mathbf{Z}} = Q) \ge nH(Q) - |\mathcal{Z}|(\log(n) + 1).$$

Proof. By the definition of exchangeability,
$P_{\mathbf{Z} | Q_{\mathbf{Z}} = Q}$ is the uniform distribution over the
set of all $n$-tuples $\mathbf{z}$ with $Q_{\mathbf{z}} = Q$. It is easy to
see that there are

^! 



such tuples, i.e., we have iJoo(Z|Qz = Q) = - logpmax(-fz|Qz=Q) = log(^Q)- 
The assertion then follows from a straightforward calculation using Stirling's 
approximation 

for any m G N. □ 

The notion of typical sets is widely used in information theory. Note
that the following definition slightly differs from the one given in [26].

Definition 3.10. Let $\mathcal{Z}$ be a set, $n \in \mathbb{N}$, and
$r \ge 0$. The $r$-typical set over $\mathcal{Z}^n$ is defined as

$$T^{n}_{\mathcal{Z}}(r) := \{\mathbf{z} \in \mathcal{Z}^n : H(Q_{\mathbf{z}}) \le r\}.$$

Lemma 3.11. For any set $\mathcal{Z}$ of size $|\mathcal{Z}| = q$,
$n \in \mathbb{N}$, and $r \ge 0$,

\TE{r)\ < 2"^n^-^ . 

Proof. Let $\mathcal{Q} := \{Q_{\mathbf{z}} : \mathbf{z} \in \mathcal{Z}^n\}$
be the set of frequency distributions of $n$-tuples over $\mathcal{Z}$ and,
for any $Q \in \mathcal{Q}$, let
$S(Q) := \{\mathbf{z} \in \mathcal{Z}^n : Q_{\mathbf{z}} = Q\}$ be the set
of $n$-tuples $\mathbf{z} = (z_1, \ldots, z_n)$ with frequency distribution
$Q$. We first show that, for any $Q \in \mathcal{Q}$,

$$|S(Q)| \le 2^{nH(Q)}. \tag{7}$$

Let $\mathbf{Z} = (Z_1, \ldots, Z_n)$ be an $n$-tuple of independent random
variables $Z_i$ distributed according to $Q$. Since, for any $n$-tuple
$\mathbf{z}$ in $S(Q)$, each symbol $z$ occurs $nQ(z)$ times in
$\mathbf{z}$, we find

$$1 \ge \mathrm{Prob}[\mathbf{Z} \in S(Q)] = |S(Q)| \prod_{z \in \mathcal{Z}} Q(z)^{nQ(z)} = |S(Q)|\, 2^{\sum_{z \in \mathcal{Z}} nQ(z) \log(Q(z))}$$

which implies (7). The assertion of the lemma then follows from

$$|T^{n}_{\mathcal{Z}}(r)| = \sum_{Q \in \mathcal{Q} : H(Q) \le r} |S(Q)| \le \sum_{Q \in \mathcal{Q} : H(Q) \le r} 2^{nH(Q)} \le |\mathcal{Q}|\, 2^{nr}$$

and the observation that |Q| < n'^^'^. □ 

Definition 3.12. Let $p \in [0, 1]$ and let $T$ be a set. A $p$-random
selection $A$ on $T$ is a random variable describing the subset obtained by
independently picking each element of $T$ with probability $p$, i.e., for
any $a \subseteq T$,

where $\chi_a$ is the characteristic function of $a$ on $T$.

A random function $G$ from $\mathcal{X}$ to $\mathcal{Y}$ is called
two-universal if $\mathrm{Prob}[G(x) = G(x')] \le$ holds for any distinct
$x, x' \in \mathcal{X}$. In particular, $G$ is two-universal if, for any
distinct $x, x' \in \mathcal{X}$, the random variables $G(x)$ and $G(x')$
are independent and uniformly distributed. For instance, the uniform random
function from a set $\mathcal{X}$ to a set $\mathcal{Y}$ is two-universal.^
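The key-length accounting of Section 2 and the two-universal functions defined above meet in classical privacy amplification. The following is an added example, not code from the paper: it computes the extractable length $n(1 - h(e)) - r$ for a uniform raw key and hashes the reconciled key with a random binary Toeplitz matrix. The Toeplitz family is an assumption chosen here as one standard two-universal family (the paper names none in this section), for which the collision probability of two distinct inputs is $1/|\mathcal{Y}| = 2^{-s}$; the function names and the sample key are constructed.

```python
import math
import secrets
from itertools import product


def h(e):
    """Binary entropy function h(e), in bits."""
    return 0.0 if e in (0, 1) else -e * math.log2(e) - (1 - e) * math.log2(1 - e)


def secret_key_length(n, e, r):
    """n*I(X;Y) - r for a uniform n-bit raw key with bit error rate e, i.e.
    n*(1 - h(e)) - r rounded down; 0 means no key can be established."""
    return max(0, math.floor(n * (1 - h(e)) - r))


def toeplitz_hash(bits, seed, s):
    """Hash n bits to s bits with the s x n Toeplitz matrix over GF(2) whose
    entry (i, j) is seed[i - j + n - 1]; the public seed has n + s - 1 bits."""
    n = len(bits)
    if len(seed) != n + s - 1:
        raise ValueError("seed must have n + s - 1 bits")
    return tuple(
        sum(seed[i - j + n - 1] & bits[j] for j in range(n)) & 1
        for i in range(s)
    )


def worst_collision_count(n, s):
    """Exhaustively count, over all seeds, how often two distinct inputs
    collide. The hash is linear, so x and x' collide exactly when their XOR
    d = x ^ x' (a nonzero string) hashes to the all-zero output."""
    seeds = list(product((0, 1), repeat=n + s - 1))
    zero = (0,) * s
    worst = 0
    for d in product((0, 1), repeat=n):
        if any(d):
            hits = sum(1 for seed in seeds if toeplitz_hash(d, seed, s) == zero)
            worst = max(worst, hits)
    return worst, len(seeds)


def privacy_amplify(raw_key, e, r, seed=None):
    """Shrink a reconciled raw key to secret_key_length(...) bits. Alice picks
    the seed at random and announces it; Bob applies the same seed."""
    n = len(raw_key)
    s = secret_key_length(n, e, r)
    if s == 0:
        raise ValueError("leakage too large: no secret key can be extracted")
    if seed is None:
        seed = [secrets.randbits(1) for _ in range(n + s - 1)]
    return seed, toeplitz_hash(raw_key, seed, s)


# Constructed 16-bit reconciled key shared by Alice and Bob.
RAW_KEY = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1)

if __name__ == "__main__":
    worst, total = worst_collision_count(4, 2)
    print("collision probability for n=4, s=2:", worst, "/", total)
    seed, key = privacy_amplify(RAW_KEY, e=0.02, r=4)
    print("final key:", key)
```

The seed travels over the public channel, so the argument never relies on it being secret, only on it being chosen after Eve's information about the raw key is fixed.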

^In the literature, two-universality is usually defined for families
$\mathcal{Q}$ of functions: A family $\mathcal{Q}$ is called two-universal
if the random function $G$ with uniform distribution over $\mathcal{Q}$ is
two-universal. Non-trivial examples of two-universal families $\mathcal{Q}$
of functions can, e.g., be found in [29] and [30].

3.3 Elements of Quantum Theory

In this section, we introduce some basic concepts of quantum theory which
we will use. For a more complete overview we refer to the standard literature
(e.g., m)-

Let $\mathcal{H}$ be a Hilbert space of dimension $d$. We denote by
$S(\mathcal{H})$ the set of density operators on $\mathcal{H}$, i.e.,
$S(\mathcal{H})$ is the set of positive operators $\rho$ on $\mathcal{H}$
with $\mathrm{tr}(\rho) = 1$. For any $\rho \in S(\mathcal{H})$, let
$\lambda(\rho)$ be the $d$-tuple of eigenvalues of $\rho$ (e.g., in
decreasing order). The trace distance between two density operators $\rho$
and $\sigma$ on the same Hilbert space $\mathcal{H}$ is defined by

$$\delta(\rho, \sigma) := \frac{1}{2} \mathrm{tr}(|\rho - \sigma|).$$

We will use several well-known properties of the trace distance (for proofs,
see e.g. [31]).

The trace distance can be seen as a generalization of the variational
distance to density operators. Many of the properties of the variational
distance thus also hold for the trace distance. In particular, the trace
distance is a metric on $S(\mathcal{H})$.

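Moreover, for two probability distributions $P$ and $Q$ over $\mathcal{W}$
and two families of density operators $\{\rho_w\}_{w \in \mathcal{W}}$ and
$\{\sigma_w\}_{w \in \mathcal{W}}$,

$$\delta\Bigl(\sum_{w \in \mathcal{W}} P(w)\rho_w, \sum_{w \in \mathcal{W}} Q(w)\sigma_w\Bigr) \le \sum_{w \in \mathcal{W}} P(w)\,\delta(\rho_w, \sigma_w) + \delta(P, Q). \tag{8}$$

This inequality can be seen as the quantum analogue of . The trace distance
between two pure states $\rho = |\phi\rangle\langle\phi|$ and
$\sigma = |\psi\rangle\langle\psi|$ can easily be computed explicitly,

$$\delta(\rho, \sigma) = \sqrt{1 - |\langle\phi|\psi\rangle|^2} = \sqrt{1 - \mathrm{tr}(\rho\sigma)}. \tag{9}$$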

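Let $\mathcal{F}$ be a positive operator valued measure (POVM) on a Hilbert
space $\mathcal{H}$, i.e., $\mathcal{F} = \{F_z\}_{z \in \mathcal{Z}}$ is a
family of positive operators on $\mathcal{H}$ such that
$\sum_{z \in \mathcal{Z}} F_z = \mathrm{id}$. We say that $\mathcal{F}$ is
orthogonal if there exists an orthonormal basis
$\{|z\rangle\}_{z \in \mathcal{Z}}$ of $\mathcal{H}$ such that
$F_z = |z\rangle\langle z|$, for any $z \in \mathcal{Z}$.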

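Definition 3.13. Let $\mathcal{F} = \{F_z\}_{z \in \mathcal{Z}}$ be a POVM
on a Hilbert space $\mathcal{H}$. The measurement mapping
$\gamma_{\mathcal{F}}$ of $\mathcal{F}$ is the function mapping each density
operator $\rho \in S(\mathcal{H})$ to the probability distribution
$P = \gamma_{\mathcal{F}}(\rho)$ on $\mathcal{Z}$ defined by
$P(z) := \mathrm{tr}(F_z \rho)$. The probability range
$\mathcal{V}_{\mathcal{F}}$ of $\mathcal{F}$ is the range of
$\gamma_{\mathcal{F}}$, i.e.,

For a POVM $\mathcal{F} = \{F_z\}_{z \in \mathcal{Z}}$ on a Hilbert space
$\mathcal{H}$ and a probability distribution $P$ on $\mathcal{Z}$, we write
$\gamma_{\mathcal{F}}^{-1}(P)$ to denote the set of density operators $\rho$
on $\mathcal{H}$ such that $\gamma_{\mathcal{F}}(\rho) = P$. More generally,
for a set $\mathcal{V}$ of probability distributions,
$\gamma_{\mathcal{F}}^{-1}(\mathcal{V}) := \bigcup_{P \in \mathcal{V}} \gamma_{\mathcal{F}}^{-1}(P)$
is the set of density operators $\rho$ with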
The trace distance between two density operators $\rho$ and $\sigma$ turns
out to be an upper bound for the variational distance between the
probability distributions of the outcomes of the same measurement
$\mathcal{F}$ applied to $\rho$ and $\sigma$.

Lemma 3.14. Let $\mathcal{F}$ be a POVM on a Hilbert space $\mathcal{H}$ and
let $\rho, \sigma \in S(\mathcal{H})$. Then

$$\delta(\gamma_{\mathcal{F}}(\rho), \gamma_{\mathcal{F}}(\sigma)) \le \delta(\rho, \sigma).$$
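Lemma 3.14 and the pure-state formula (9) can be checked numerically on a single qubit. The following is an added example, not code from the paper: it computes the trace distance of two 2x2 density operators from the closed-form eigenvalues of their difference and compares it with the variational distance of the outcome distributions over a grid of orthogonal measurements. The helper names, the grid resolution and the sample states are constructed for illustration.

```python
import cmath
import math


def ket(theta, phi=0.0):
    """Qubit state cos(theta/2)|0> + e^{i phi} sin(theta/2)|1>."""
    return (complex(math.cos(theta / 2)), cmath.exp(1j * phi) * math.sin(theta / 2))


def projector(v):
    """Density operator |v><v| as a 2x2 nested list."""
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]


def mix(p, rho, sigma):
    """Convex combination p*rho + (1 - p)*sigma."""
    return [[p * rho[i][j] + (1 - p) * sigma[i][j] for j in range(2)] for i in range(2)]


def trace_distance(rho, sigma):
    """(1/2) tr|rho - sigma| using the eigenvalues of the Hermitian 2x2 difference."""
    d00 = (rho[0][0] - sigma[0][0]).real
    d11 = (rho[1][1] - sigma[1][1]).real
    d01 = rho[0][1] - sigma[0][1]
    mean = (d00 + d11) / 2
    radius = math.sqrt(((d00 - d11) / 2) ** 2 + abs(d01) ** 2)
    return (abs(mean + radius) + abs(mean - radius)) / 2


def pure_state_distance(v, w):
    """Formula (9): sqrt(1 - |<v|w>|^2) for two pure states."""
    overlap = sum(a.conjugate() * b for a, b in zip(v, w))
    return math.sqrt(max(0.0, 1 - abs(overlap) ** 2))


def measure(rho, basis):
    """Measurement mapping of the orthogonal POVM {|z><z|}: P(z) = <z|rho|z>."""
    return [
        sum(v[i].conjugate() * rho[i][j] * v[j] for i in range(2) for j in range(2)).real
        for v in basis
    ]


def variational_distance(P, Q):
    return sum(abs(p - q) for p, q in zip(P, Q)) / 2


def best_measured_distance(rho, sigma, steps=12):
    """Largest variational distance seen over a grid of orthonormal bases."""
    best = 0.0
    for k in range(steps + 1):
        for m in range(steps):
            theta, phi = k * math.pi / steps, 2 * m * math.pi / steps
            basis = (ket(theta, phi), ket(math.pi - theta, phi + math.pi))
            dist = variational_distance(measure(rho, basis), measure(sigma, basis))
            best = max(best, dist)
    return best


if __name__ == "__main__":
    a, b = ket(0.0), ket(math.pi / 3)          # constructed pure states
    rho, sigma = projector(a), projector(b)
    print("trace distance      :", trace_distance(rho, sigma))
    print("formula (9)         :", pure_state_distance(a, b))
    print("best measured value :", best_measured_distance(rho, sigma))
```

For this pair the grid contains the eigenbasis of $\rho - \sigma$, so the measured distance reaches the trace distance; every other basis on the grid stays below it.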

The probability distribution resulting from an orthogonal measurement of a
quantum state $\rho$ is in a certain sense less ordered than the
eigenvalues of $\rho$. This is formalized by the following lemma. A proof
can, for instance, be found in (see also [33]).

Lemma 3.15 (Schur's majorization theorem). Let
$\mathcal{F} = \{F_1, \ldots, F_d\}$ be an orthogonal measurement on a
$d$-dimensional Hilbert space. Then, for any density operator
$\rho \in S(\mathcal{H})$,

$$p \prec \lambda(\rho)$$

where $p = (\gamma_{\mathcal{F}}(\rho)(1), \ldots, \gamma_{\mathcal{F}}(\rho)(d))$
are the probabilities of the outcomes when measuring $\rho$ with respect to
$\mathcal{F}$.

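Let $\mathcal{H} \otimes \mathcal{H}'$ be a bipartite Hilbert space, let
$\rho \in S(\mathcal{H} \otimes \mathcal{H}')$, and let $Z$ be the outcome
of a measurement of $\rho$ with respect to a POVM
$\mathcal{F} = \{F_z\}_{z \in \mathcal{Z}}$ on (a subspace of)
$\mathcal{H}'$. The density operator on $\mathcal{H}$ resulting from
conditioning $\rho$ on the measurement outcome $Z = z$, denoted
$\rho^{z}_{\mathcal{F}}$, is given by

$$\rho^{z}_{\mathcal{F}} := \frac{1}{c}\, \mathrm{tr}_{\mathcal{H}'}(\mathrm{id}_{\mathcal{H}} \otimes F_z\, \rho)$$

where $c := \mathrm{tr}(\mathrm{id}_{\mathcal{H}} \otimes F_z\, \rho)$ is a
normalization constant and where $\mathrm{tr}_{\mathcal{H}'}$ denotes the
partial trace over the subspace $\mathcal{H}'$.

Let $\mathcal{H}^{\otimes n} := \mathcal{H}_1 \otimes \cdots \otimes \mathcal{H}_n$
be the product of $n$ identical factor spaces $\mathcal{H}_i = \mathcal{H}$.
The following definition can be seen as a quantum version of
Definition 3.3.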

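Definition 3.16. The density range of a density operator
$\rho \in S(\mathcal{H}^{\otimes n})$ is the smallest convex subset
$\mathcal{V}$ of $S(\mathcal{H})$ such that for any
$k \in \{1, \ldots, n\}$, for any POVM
$\mathcal{F}^{k-1} = \{F_z\}_{z \in \mathcal{Z}}$ on
$\mathcal{H}^{k-1} := \bigotimes_{i=1}^{k-1} \mathcal{H}_i$, and for any
$z \in \mathcal{Z}$, the density operator $\rho^{z}_{\mathcal{F}^{k-1}}$ is
contained in $\mathcal{V}$.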

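Let $\mathcal{E}$ be a quantum operation on a Hilbert space $\mathcal{H}$,
i.e., $\mathcal{E} = \{E_z\}_{z \in \mathcal{Z}}$ is a family of linear
operators $E_z$ on $\mathcal{H}$ such that
$\sum_{z \in \mathcal{Z}} E_z^{\dagger} E_z = \mathrm{id}$. Then, the
density operator $\sigma = \mathcal{E}(\rho)$ resulting from applying
$\mathcal{E}$ to a density operator $\rho$ is given by

$$\sigma := \sum_{z \in \mathcal{Z}} E_z \rho E_z^{\dagger}.$$

Lemma 3.17. Let $\rho$ be a density operator on $\mathcal{H}$ and let
$\sigma := \mathcal{E}(\rho)$ be the density operator resulting from
applying a quantum operation $\mathcal{E} = \{E_z\}_{z \in \mathcal{Z}}$ to
$\rho$. Then

$$\delta(\rho, \sigma) \le \sqrt{1 - \sum_{z \in \mathcal{Z}} |\mathrm{tr}(E_z \rho)|^2}.$$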

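Proof. We first show that the assertion of the lemma holds if
$\rho = |\psi\rangle\langle\psi|$ is a pure state. For $z \in \mathcal{Z}$,
let $p_z := \mathrm{tr}(E_z \rho E_z^{\dagger})$,
$|\psi_z\rangle := \frac{1}{\sqrt{p_z}} E_z |\psi\rangle$, and
$\sigma_z := |\psi_z\rangle\langle\psi_z|$. Note that $p_z \in [0, 1]$,
$\sum_z p_z = 1$, and

$$\sigma = \sum_{z \in \mathcal{Z}} p_z \sigma_z.$$

We can thus apply (8) yielding

$$\delta(\rho, \sigma) \le \sum_{z \in \mathcal{Z}} p_z\, \delta(\rho, \sigma_z). \tag{10}$$

Since $\rho = |\psi\rangle\langle\psi|$ and
$\sigma_z = |\psi_z\rangle\langle\psi_z|$ are pure states, it follows from
(9) that

$$\delta(\rho, \sigma_z) = \sqrt{1 - |\langle\psi|\psi_z\rangle|^2} = \sqrt{1 - \frac{1}{p_z} |\mathrm{tr}(E_z \rho)|^2}.$$

Combining this with (10), we find

$$\delta(\rho, \sigma) \le \sum_{z \in \mathcal{Z}} p_z \sqrt{1 - \frac{1}{p_z} |\mathrm{tr}(E_z \rho)|^2} \le \sqrt{\sum_{z \in \mathcal{Z}} p_z \Bigl(1 - \frac{1}{p_z} |\mathrm{tr}(E_z \rho)|^2\Bigr)}$$

where the second inequality follows from the concavity of the square root
and Jensen's inequality. This concludes the proof of the lemma for pure
states $\rho$.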

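To verify that the assertion of the lemma also holds for mixed states
$\rho$, write $\rho$ as a convex combination of pure states $\rho_w$, i.e.,
$\rho = \sum_{w \in \mathcal{W}} q_w \rho_w$ for appropriate
$q_w \in [0, 1]$ with $\sum_{w \in \mathcal{W}} q_w = 1$, and let
$\mathcal{E}(\rho_w)$ be the state resulting from applying the quantum
operation $\mathcal{E}$ on $\rho_w$. Then, since
$\sigma = \mathcal{E}(\rho) = \sum_{w \in \mathcal{W}} q_w \mathcal{E}(\rho_w)$,
inequality (8) yields

$$\delta(\rho, \sigma) \le \sum_{w \in \mathcal{W}} q_w\, \delta(\rho_w, \mathcal{E}(\rho_w)) \le \sum_{w \in \mathcal{W}} q_w \sqrt{1 - \sum_{z \in \mathcal{Z}} |\mathrm{tr}(E_z \rho_w)|^2}$$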

where the last inequality follows from the statement of the lemma applied 
to the pure states pw Using again Jensen's inequality, we obtain 



V zeZwew V z&z wew 






which concludes the proof. □ 

We will now use Lemma 3.17 to derive a lower bound for the variational 
distance between two probability distributions in terms of the trace distance 
between two corresponding density operators. This is in a certain sense the 
converse of Lemma 3.14. 

Lemma 3.18. Let $\mathcal{F} = \{F_z\}_{z \in \mathcal{Z}}$ be an orthogonal POVM on a Hilbert space 
$\mathcal{H}$, let $\rho \in S(\mathcal{H})$, let $P := \gamma_{\mathcal{F}}(\rho)$, and let $Q$ be a probability distribution on 
$\mathcal{Z}$. Then there exists $\sigma \in S(\mathcal{H})$ such that 

$$Q = \gamma_{\mathcal{F}}(\sigma) \tag{11}$$

and 

$$\delta(\rho, \sigma) \le \sqrt{2\,\delta(P, Q)} . \tag{12}$$

In particular, 

b%jAp)) ^ lAB'^'ip)) ■ (13) 

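Proof. From Lemma 3.1 there exist random variables $Z$ and $Z'$ distributed 
according to $P$ and $Q$, respectively, such that 

$$\mathrm{Prob}[Z \ne Z'] = \delta := \delta(P, Q) .$$

Let $\mathcal{W} := \{(z, z') \in \mathcal{Z} \times \mathcal{Z} : z \ne z'\}$, let $p_{z,z'} := P_{Z'|Z}(z', z)$, and let $\{|z\rangle\}_{z \in \mathcal{Z}}$ 
be an orthonormal basis of $\mathcal{H}$ such that $F_z = |z\rangle\langle z|$. Let 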

and, for iz,z') £ W, 

be linear operators on TC. It is easy to verify that the family £ = {Eq} U 
{Ez^z'}(z,z')£W is a quantum operation, i.e., 

{z,z')ew 

Let 

a:=£{p) = E,pEl + ^ ^z^z'P^lz' 
{z,z')ew 
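be the quantum state resulting from applying $\mathcal{E}$ to $\rho$. It then follows from a 
straightforward calculation that 

$$\gamma_{\mathcal{F}}(\sigma) = P_{Z'}$$

which implies (11) since $P_{Z'} = Q$. To show that (12) also holds, we use 
Lemma 3.17, yielding 

$$\delta(\rho, \sigma) \le \sqrt{1 - |\mathrm{tr}(E_0 \rho)|^2 - \sum_{(z,z') \in \mathcal{W}} |\mathrm{tr}(E_{z,z'} \rho)|^2} \le \sqrt{1 - |\mathrm{tr}(E_0 \rho)|^2} .$$

Since $P_Z = \gamma_{\mathcal{F}}(\rho)$, we have 

$$\mathrm{tr}(E_0 \rho) = \sum_{z \in \mathcal{Z}} \sqrt{p_{z,z}}\; \gamma_{\mathcal{F}}(\rho)(z) \ge \sum_{z \in \mathcal{Z}} p_{z,z} P_Z(z) = \mathrm{Prob}[Z = Z'] = 1 - \delta ,$$

and thus 

$$\delta(\rho, \sigma) \le \sqrt{1 - (1 - \delta)^2} = \sqrt{2\delta - \delta^2} \le \sqrt{2\delta} .$$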

□ 

The entropy of a quantum state can be defined in terms of the entropy 
of a classical probability distribution. Let $\rho$ be a density operator on a 
$d$-dimensional Hilbert space $\mathcal{H}$ and let $(\lambda_1, \ldots, \lambda_d) := \lambda(\rho)$ be the $d$ eigenvalues 
of $\rho$. Note that there exists an orthonormal basis $\{|1\rangle, \ldots, |d\rangle\}$ of 
$\rho$ (namely the eigenbasis) such that $\lambda_i = P(i)$ where $P := \gamma_{\mathcal{F}}(\rho)$ is the 
probability distribution of a measurement of $\rho$ with respect to the POVM 
$\mathcal{F} = \{|1\rangle\langle 1|, \ldots, |d\rangle\langle d|\}$. In particular $\lambda(\rho)$ can be interpreted as a probability 
distribution on $\{1, \ldots, d\}$. 

The Rényi entropy (of order $\alpha$) of a density operator $\rho$ is defined by 
the Rényi entropy of $\lambda(\rho)$, i.e., $S_\alpha(\rho) := H_\alpha(\lambda(\rho))$, for $\alpha \in \mathbb{R}^+ \cup \{\infty\}$. In 
particular, for $\alpha = 1$, $S(\rho) := S_1(\rho)$ is the von Neumann entropy of $\rho$. Note 
that, for $\alpha = 0$, 

$$S_0(\rho) = \log(\mathrm{rank}(\rho)) .$$

The smooth Rényi entropy for density operators can be defined by generalizing 
the classical Definition 3.5. 

Definition 3.19. Let $\varepsilon \ge 0$ and $\alpha \in \mathbb{R}^+ \cup \{\infty\}$. The $\varepsilon$-smooth Rényi 
entropy of order $\alpha$ of a density operator $\rho$ is defined by 

5,(/5) :=5r"(e^(p)) (fora>l) and S^ip) := Sf^'iB'ip)) (for a < 1) . 
The following lemma is a direct consequence of Lemma 3.15 and the fact 
that the entropy functions $-H_\alpha$ are Schur-convex. 

Lemma 3.20. Let $\mathcal{F}$ be an orthogonal POVM on a $d$-dimensional Hilbert 
space $\mathcal{H}$. Then, for any density operator $\rho \in S(\mathcal{H})$ and any $\alpha \in \mathbb{R}^+ \cup \{\infty\}$, 

$$S_\alpha(\rho) \le H_\alpha(\gamma_{\mathcal{F}}(\rho)) .$$

We often will use this result for the case $\alpha = 1$. To simplify the notation, 
let 

$$S_{\mathcal{F}}(\rho) := H(\gamma_{\mathcal{F}}(\rho)) \tag{14}$$

be the Shannon entropy of the outcomes when measuring a density operator 
$\rho \in S(\mathcal{H})$ with respect to a POVM $\mathcal{F}$. If $\mathcal{F}$ corresponds to a measurement 
in an eigenbasis of $\rho$, we obviously have $S(\rho) = S_{\mathcal{F}}(\rho)$, and thus, from 
Lemma 3.20, 

$$S(\rho) = \min_{\mathcal{F}} S_{\mathcal{F}}(\rho) \tag{15}$$

where the minimum is taken over all orthogonal POVMs in $\mathcal{H}$. 

The following lemma is an extension of Lemma 3.20 to smooth Rényi 
entropy. 

Lemma 3.21. Let $\mathcal{F}$ be an orthogonal POVM on a Hilbert space $\mathcal{H}$. Then, 
for any density operator $\rho \in S(\mathcal{H})$, $\alpha < 1$, 
and $\varepsilon > 0$, 

sf'{p) < h^Mp)) ■ 

Proof. From Lemma 3.20 we have 

Sf~'{p)= inf Sa{a)< inf HMa)) . 

The assertion then follows from Lemma 3.18 

inf HaM^)) < ^ inf H4Q) = HUlAp)) ■ 

□ 



4 Main Result 

This section contains the main result of the paper, namely, an explicit 
expression for the rate of secure quantum key distribution (cf. equation (22)). 
In the first part, we derive Lemma 4.1 which says that the frequency distribution 
obtained when measuring the subsystems of an $n$-partite quantum 
state with respect to a certain POVM $\mathcal{F}$ can be estimated from the results 
obtained by applying another POVM $\bar{\mathcal{F}}$ on a few randomly chosen subsystems. 
This is then used to show Lemma 4.2 which gives an upper bound 
for the Rényi entropy of order 0 of the outcomes when applying the POVM 
$\mathcal{F}$ given only the outcomes of the measurements with respect to $\bar{\mathcal{F}}$ on a 
few (randomly chosen) subsystems. The result is then applied to bound 
the size (rank) of the $n$-partite quantum system given the outcomes of a 
measurement on a few subsystems (Corollary 4.3). 

In Sections 4.2 and 4.3 we review information reconciliation and the 
security of privacy amplification in the presence of a quantum adversary, 
respectively. These are main ingredients of the post-processing stage. 

In Section 4.4 we introduce the generic quantum key distribution protocol 
and prove its security by combining the above mentioned results with 
the information reconciliation and privacy amplification to obtain our main 
result, i.e., the secret key rate (22). 

4.1 Parameter Estimation 

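Let $\mathcal{H}$ be a Hilbert space, let $\rho \in S(\mathcal{H}^{\otimes n})$, let $a \subseteq \{1, \ldots, n\}$ and let 
$\mathcal{F} = \{F_z\}_{z \in \mathcal{Z}}$ be a POVM on $\mathcal{H}$. Then $\Gamma^{\mathcal{F}}_{a}(\rho)$ denotes the $|a|$-tuple $\mathbf{Z}$ of 
outcomes resulting from applying $\mathcal{F}$ to $\rho$ on $\mathcal{H}_a$, where $\mathcal{H}_a$ is the tensor 
product of the factor spaces $\mathcal{H}_i$, for $i \in a$. 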

Lemma 4.1. Let p G S{TC'^^) be an n-partite state with density range IZ C 
S{n), let T = {Fz}zez and T = {Fz}z^z two POVMs on H, and let A 
he a p-random selection on {1, . . . ,n}. Let := T^(p) and Z^ := r^(yo) 
be the outcomes when measuring p in TLa and Ti^ with respect to T and T , 
respectively. Then, for any e > 0, 

Prob[3p G n : p 6{Qz^,jAp)) + - P) S{Qz^,7Ap)) < e] > I - 

2 

where p := 2l^l+l^le~^. 

Proof. Let G be the POVM on 7i obtained by combining and with 
probability p and l-p, respectively, i.e., G := {G(^^^r)}(z,r)e(zuz)x{o,i} with 
^(^,1) := pFz and G(^z,o) •= (1 ~ p)Fz- Let W := Tg{p) be the n-tuple 
of outcomes {Zi,Ri) when measuring p with respect to Q. The random 
variables occurring in the lemma can then equivalently be defined by ^ := 
{i : Ri = 1}, Za ■= {Zi, . . . , Zn)A, and := {Zi, . . . , Zn)A- 
The probability range of the n-tuple W is contained in V := ^gij^)- We 
can thus apply Lemma 13.41 for e := e/2 leading to 

Prob[Qw e B^{V)] > 1 - /i . 

Let z G (2^ U Z)'^ and a C {1, . . . ,n} such that the n-tuple w of values 
Wi = izi,Xa{i)) satisfies £ B%V), i.e., 

S{Q^,-fg{p))<e/2 

for some p TZ. It remains to be shown that this implies 

pS{Q.^nAp)) + a-p)s{Q^-anAp))<^ ■ (16) 

Let {Z, R) and {Z' ,R!) be two pairs of random variables distributed accord- 
ing to 7g(/o) and Qw, respectively. It follows from the construction of the 
POVM Q that Pr = P^'^, Pz\R=i = iAp), and Pz\r=o = iAp). More- 
over, by the definition of the frequency distribution, Pz'\r'=i = Qza ai^d 
Pz'\R'=o = Qz-a- Hence, using ©, 

p5{im.Q^.) + {'^-p)^{lf{p).Q^.) = ER[Pz\R{-,R).Pz'\R'{-,R)] 

< 25{PzR,Pz'R') = 25(7g(p),Qw) < e . 

which implies (16) and thus concludes the proof. □ 

Lemma 4.2. Let p G 5(7^®") be an n-partite state with density range TZ C 
S{n), let T = {Fj^e^ and f = {F^}^(.z be two POVMs on H, let A be 
a p-random selection on {!,..., n}, and let Zia '■= T^(p), := T^(p). 
Then, for any e > 0, there exists a real valued function p with 

E[piQ^,,A)]<2\^\-^\^'\e-^ 
such that, for any probability distribution Q on Z and any a C {1, . . . 

H^^'^'''\Za\Qz^ =Q,A = a)< |a|i7--(e(Q)) + log(|a|)(|J| - 1) , 
where B{Q) := e,/(l_p)(7^(7^ n 7^'(%p(Q)))). 

Proof. Let W be the set of pairs (z, a) consisting of an n-tuple z of elements 
from Z L) Z and a subset a C {1, . . . ,n} such that there exists a density 
operator p gTZ satisfying 

p5(Qz„,7^(/o)) + (l-p)5(Qz,,7^(/5)) ■ 
For any probability distribution Q on Z and any a Q {1, . . . ,n}, let 

C{Q,a) := {za : (z, a) e W and Qz, = Q} ■ 

We first show that 

log(|C(Q,a)|) < |a|F--(S(Q)) + log(|a|)(|Z| -1) , (17) 

for any Q and a. It follows from the definition of the set C{Q,a) that 
for any z' £ C{Q,a) there exists p £ TZ such that 6{Q,'yjr{p)) < e/p and 
^{Qx' -.igip)) < — p) • which directly implies Qz' G ^{Q) and thus 

Hence, by Definition I3.1U1 z' is contained in the r- typical set T^{r) for 
k := \a\. By Lemma [^11 1 1 the size of T^ir) can not be larger than 2'^''|a|l^l~^, 
from which (|17|) follows. 

Lemma 4.1 gives a lower bound for the probability that $(\mathbf{Z}, A)$ is contained 
in $\mathcal{W}$, 

Prob[(Z,yl) G W] > 1 - 2l^l+l^le"^ . 
Let the function p be defined by 

p{Q,a) := l-Prob[Z^ G C(Qz^,A)|Qz^ =Q,A = a] . 

Then, since Prob[Z^ G C(Qza,^)|] > Prob[(Z, A) G W], we obtain 

E[/i(Qz^,^)] = 1 - Prob[Z^ G C(gz^,yl)|] < 2256-^1^ . 
On the other hand, from Lemma 3.6 

^M4a)(2^|2^ = Q, A = a) < log(|C(Q,a)|) 
for any Q and a. Combining this with (17) concludes the proof. □ 

Corollary 4.3. Lei p G 6e an n-partite state with density range 

TZ C S{7i), let T = {Fz}zez be a POVM on 7i, let T he an orthogonal 
POVM on 7i, and let A he a p-random selection on {1, . . . ,n}. Let Z^ := 
r^(/9) he the outcomes when measuring p in Ha with respect to T and let 
Pa he the remaining quantum state in TCa- Then, for any e > 0, there exists 
a real valued function p with 

dim(H) + |Z „e2 

E[p{Qz^,A)] < 2 2 e- — 
such that, for any probability distribution Q on Z and any a C {1, . . . 

S^^'^'^\pA\Qz^ = Q,A = a) < |a|//--(e(g)) + log(|a|)(dim(W)-l) , 
where B{Q) := %(l_p)(7^(7^ n 7^'(fi./p(g)))). 

Proof. Since the POVM ^ = {Fz}z^z orthogonal, we have \Z\ = dim{TC). 
According to Lemma 14.21 there exists a function fl satisfying 

such that 

H^^'^'''\Qz,\Qz^=Q,A = a) < |a|F--(^(Q)) + log(|a|)(dim(H)-l) 

(18) 

holds. Let the function fi be defined by fi{Q,a) := ^jrpij^^^. Using 
Jensen's inequality, we obtain 

i?[^(Qz^,yl)] < ^2E[li{Q'z^,A)\ < 'f'^'T^^^e-^ . 
On the other hand, since J- is orthogonal. Lemma 13.211 implies that 

S^^^'''\pa\Q'La =Q.A = a)< iif^^''\T.A\Q'L^ = Q,A = a) 
for any Q and a which, together with (18), concludes the proof. □ 

Corollary 4.4. Let Z be a set and let A be a p-random selection on {1, ... ,n} 

Then, for any n-tuple Z of random variables with range Z and any e > 0, 
there exists a real valued function /x with 

£;[MQz^,A)] <22|^le-^ 
such that, for any probability distribution Q on Z and any a C {1, . . . 

H^^^'^'HZaIQz^ =Q,A = a)< \a\H'^^^{B'M^-P\Q)) + log{\a\){\Z\ - 1) . 

Corollary 4.5. Let X and Y be n-tuples of random variables with range X 
and y , respectively, and let A be a p-random selection on {1, . . . , n}. Then, 
for any y G y" and e > 0, there exists a real valued function fj, with 
such that, for any channel Q from y to X and for any set a Q {1, . . . ,n}, 

^g^Y = y,^ = a) <n(r+e|3;|log(|A'|))+log(n)(|A'|-l) . 

where 

y&y 

Proof. Let y' be the subset of y containing all values y such that Qy{y) > 
en. For any y G y, let 

ay ■■= {i-yi = y} , 

and, for any y G y' , let fiy be the function defined by Corollary 14.41 ap- 
plied to the tuple '^ay In particular, we have, for y G y' , any probability 
distribution Q' on X, and any a C {1, . . . , n}, 

hy := ^o''"^'^''"''"''^X^naJQx^n„, =Q',A = a)< |a,| r^ + log{n){\X\ - 1) . 
where := H'^^'' {B' M^~p\Q)) . On the other hand, for y G 3^ - y , let 

hy := HoiX^naJQ^Anay =Q',A = a)< |a,| log(|^|) < nelogi\X\) 
Applying Lemma 1X71 yields 

i/o''^^''^^(XAlQx^|Y^ =Q,Y = y,A = a)<^hy 

y&y 

for 

n{Q,a) := ^ i2y{Q{-\y),anay) 
from which the assertion follows. □ 
4.2 Information Reconciliation 

Lemma 4.6. Let Z be a random variable with Hq{Z) < r and let F be a 
two-universal hash function from Z to {0, 1}^. Then there exists a guessing 
function g such that 

Prob[ff(F, F{Z)) = Z]>1- 2~^'~'''> + e 

For a proof, see e.g. [34]. 
4.3 Privacy Amplification Against Quantum Adversaries 

We will use the following theorem proven in PP. 

Theorem 4.7. Let Z he a random variable with H^(Z) > n and let p G 
S{7i) be a density operator with Sq (p) < r which depends on X . Let F be 
a two-universal hash function from Z to {0, 1}* and let W := Tg(p) be the 
outcome of a measurement of p with respect to an arbitrary POVMQ which 
might depend on F . Then 

o _ _ 

d{F{Z)\WF) < -2'^^ +e + e' . 

4.4 A Generic Quantum Key Distribution Protocol 

In this section, we will describe the generic protocol and apply the results 
from the previous sections to prove its security. To enhance the readability 
of this exposition, we will restrict our attention to the asymptotic behavior 
of the relevant quantities. The exact statements about eventual constants 
may be taken directly from the lemmas that we refer to. 

Let $\rho$ be a density operator on $(\mathcal{H}_A \otimes \mathcal{H}_B)^{\otimes n}$. Let $\mathcal{F}$ and $\mathcal{G}$ be two 
POVMs on $\mathcal{H}_A$ and let $\mathcal{F}'$ and $\mathcal{G}'$ be two POVMs on $\mathcal{H}_B$. Let $T$ and $T'$ 
be two $p$-random selections on $\{1, \ldots, n\}$. For any $i \in \{1, \ldots, n\}$, let $X_i$ be 
the outcome of a measurement of the subsystem $(\mathcal{H}_A)_i$ with respect to $\mathcal{F}$, 
if $i \in T$, or with respect to $\mathcal{G}$, otherwise. Similarly, let $Y_i$ be the outcome of 
a measurement of $(\mathcal{H}_B)_i$ with respect to $\mathcal{F}'$, if $i \in T'$, or with respect to $\mathcal{G}'$, 
otherwise. Let be a p-random selection on Ta- 

For the following asymptotic analysis, we assume that $p = \Theta(n^{-\alpha})$ for 
some $\alpha \in (0, 1)$. In particular, $pn$ grows less than linearly in $n$. 

4.4.1 Parameter Estimation 

The goal of this protocol phase is to estimate the parameters used for the 
subsequent information reconciliation and privacy amplification phase. In 
particular, Alice and Bob have to determine the minimum length r of the 
error correcting information needed and the maximum length s of the final 
key such that it is guaranteed to be secure. 
Alice Bob 

s, r, X = (Xi, . . . r,Y = (n, . . . , y„) 

TZ := 7^(X'rnT', YrnT') 

r := \nH{X\Y)] 
t := lnH{X)\ 
, u:= [nmax^g7^S'(/5)] 



s := t — r — u 



V' . "Y" V ■ "V 



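The functions $Q$ and $\mathcal{R}$ are defined as follows. Let $\mathbf{x} = (x_1, \ldots, x_k)$ and 
$\mathbf{y} = (y_1, \ldots, y_k)$ be two $k$-tuples. Then $Q(\mathbf{x}, \mathbf{y})$ is the frequency distribution 
$Q_{\mathbf{z}}$ of the $k$-tuple $\mathbf{z} = ((x_1, y_1), \ldots, (x_k, y_k))$. Similarly, $\mathcal{R} := \mathcal{R}(\mathbf{x}, \mathbf{y})$ 
is the set of density operators on $\mathcal{H}_A \otimes \mathcal{H}_B$ such that the outcomes of a 
measurement of any $\rho \in \mathcal{R}$ with respect to $\mathcal{F} \otimes \mathcal{F}'$ are distributed according 
to $Q(\mathbf{x}, \mathbf{y})$. 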

Note that T HT' is a p^-random selection on {1, . . . , n} and that S HT' 
is a — p)-random selection on {1, . . . , n}. Corollary 14.41 implies that 

Fg(X'| Y = y,C)< ^o'(X^) = nH{X\Y) + o(n) (19) 

holds for £ exponentially small in n. Similarly, Lemma 13.91 implies 

H'^{X'\C) = H'^CX^) + o(n) = nHiX) + o(n) . (20) 

4.4.2 Information Reconciliation 

Let n' := n — IS" U T U T'| be the length of the tuples X' and Y', and let, 
for some r' < n' , Tir' ■= T-L{X^ — > {0, 1}'" ) be the set of two-universal hash 
functions mapping X' to r' bits. 

Alice Bob 

F £r Hr' P^F'iX.') ^ g^^^^ ^, ^^^^ Y' 

It follows from Lemma 4.6 and (19) that for some 
$r' = r + o(n) \le nH(X|Y) + o(n)$, $\hat{\mathbf{X}}' = \mathbf{X}'$ holds except with probability exponentially small 
in $n$. Moreover, since $F$ is independent of $\mathbf{X}'$ and since $H_0(F(\mathbf{X}')) = r'$, 
Lemma 3.8 together with (20) implies 

HiiX.'\C, C) > H^^{X'\C) -t' + o{n) = nH{X) - r' + o{n) (21) 

where $C' := (F, F(\mathbf{X}'))$ are the messages sent by Alice during the information 
reconciliation protocol. 



4.4.3 Privacy Amplification 

Let V be the set of permutations of the n' elements of X' and for some s' < n' 
let Tig' '■= 7i{X^ {0, 1}* ) be a two-universal hash function mapping X' 
to s' bits. 

Alice Bob 

Per,GeRns' ^ — - 

S := G(X') S' := G(P(X')) 



Since $\hat{\mathbf{X}}' = \mathbf{X}'$ holds except with probability exponentially small in $n$, 
we have $S = S'$. 

It follows from Corollary 4.3 and (21) that for some $s' = s + o(n)$, 
H^{X.'\C,C') - H^{p) -s' > nH{X) - r' - nmax5(/5) - s' + o(n) 

is smaller than zero. Theorem 4.7 thus implies that the knowledge of Eve 
about the key $S$ is negligible. 

Note that the length $s'$ of the final key is $t - r - u + o(n)$. The rate $R$ 
of this generic protocol is thus given by 

$$R = I(X;Y) - \max S(\rho) . \tag{22}$$

Note further that we can carry out the same analysis for the difference 
H^{X.'\C, W) - H^ip\W) where we condition on additional information W. 
This might improve the rate R with a clever choice of the information W as 
we will see in the next section. 
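The one-way post-processing of Sections 4.4.2 and 4.4.3, with the guessing function of Lemma 4.6, written out as an added example that is not code from the paper: Alice sends $(F, F(\mathbf{X}'))$, Bob takes the candidate nearest to $\mathbf{Y}'$ whose hash matches, and both hash with $G$. The Toeplitz family as the concrete two-universal family, the Hamming-ball model of Bob's uncertainty, the toy sizes, every function name and the omission of the permutation $P$ are assumptions of this example.

```python
from itertools import combinations


def toeplitz_rows(seed, n, out_len):
    """Rows (as n-bit masks) of the out_len x n Toeplitz matrix with
    T[i][j] = bit (i - j + n - 1) of seed; the family has 2**(n+out_len-1) members."""
    return [sum(((seed >> (i - j + n - 1)) & 1) << j for j in range(n))
            for i in range(out_len)]


def toeplitz_hash(rows, x):
    """F(x) = T x over GF(2): output bit i is the parity of (row_i AND x)."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(rows))


def candidates(y, n, max_errors):
    """Bob's uncertainty about Alice's string (assumed model): every n-bit
    string within Hamming distance max_errors of his string y, nearest first."""
    for weight in range(max_errors + 1):
        for flips in combinations(range(n), weight):
            yield y ^ sum(1 << p for p in flips)


def guess(rows, tag, y, n, max_errors):
    """Guessing function g(F, F(X)): first candidate whose hash equals the tag."""
    for cand in candidates(y, n, max_errors):
        if toeplitz_hash(rows, cand) == tag:
            return cand
    return None


def collisions(x1, x2, n, out_len):
    """Number of members F of the whole family with F(x1) == F(x2)."""
    count = 0
    for seed in range(1 << (n + out_len - 1)):
        rows = toeplitz_rows(seed, n, out_len)
        count += toeplitz_hash(rows, x1) == toeplitz_hash(rows, x2)
    return count


def reconciliation_failures(x, y, n, r, max_errors):
    """Number of members F of the whole family for which g(F, F(x)) != x."""
    failures = 0
    for seed in range(1 << (n + r - 1)):
        rows = toeplitz_rows(seed, n, r)
        failures += guess(rows, toeplitz_hash(rows, x), y, n, max_errors) != x
    return failures


def post_process(x, y, n, r, s, seed_f, seed_g, max_errors):
    """One run: Alice sends (F, F(x)); Bob guesses x_hat from y; both apply G."""
    f_rows = toeplitz_rows(seed_f, n, r)
    x_hat = guess(f_rows, toeplitz_hash(f_rows, x), y, n, max_errors)
    g_rows = toeplitz_rows(seed_g, n, s)
    key_alice = toeplitz_hash(g_rows, x)
    key_bob = None if x_hat is None else toeplitz_hash(g_rows, x_hat)
    return x_hat, key_alice, key_bob


if __name__ == "__main__":
    import secrets
    n, r, s = 8, 6, 2              # constructed toy sizes
    x = 0b10110100                 # Alice's string X' (constructed)
    y = x ^ (1 << 2)               # Bob's string Y': one bit flipped
    seed_f = secrets.randbits(n + r - 1)
    seed_g = secrets.randbits(n + s - 1)
    print(post_process(x, y, n, r, s, seed_f, seed_g, max_errors=1))
    bad = reconciliation_failures(x, y, n, r, max_errors=1)
    print(f"guess wrong for {bad} of {1 << (n + r - 1)} hash functions")
```

Each wrong candidate collides with Alice's string for exactly a $2^{-r}$ fraction of the family, so a union bound over the wrong candidates caps the count returned by `reconciliation_failures`.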



5 Examples 

In the following we will illustrate our result by calculating the secret key 
rate and the tolerable error rates for common quantum key distribution 
protocols. 
5.1 BB84 (The Four-State Protocol) 

The BB84 quantum key distribution protocol belongs to the class of 
so-called prepare and measure protocols. In this protocol, Alice chooses 
randomly, with probability $(1 - p)$, the first out of a set of two conjugate bases 
of a qubit; the second basis is chosen with probability $p$. She then prepares 
one of the orthogonal basis states, each chosen with equal probability, and 
sends the quantum state to Bob. ^ 

The BB84 protocol can be regarded as an entanglement based protocol 
and is in this version known as BBM92. The preparation stage on Alice's 
side is then given by a measurement on one half of an entangled quantum 
state whose second part is sent off to Bob. The relevant quantum state $\rho$ 
is a two qubit state, $\rho \in S(\mathbb{C}^2 \otimes \mathbb{C}^2)$, and we denote measurement basis one 
by $\{|0\rangle, |1\rangle\}$ and basis two by $\{|+\rangle, |-\rangle\}$, where $|\pm\rangle := \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$. It 
is understood that e.g. $\langle 01|\rho|01\rangle$ corresponds to the probability that Alice 
obtains outcome 0 and Bob outcome 1 when both choose to measure in the 
first basis. We further identify $|+\rangle$ with outcome 0 and $|-\rangle$ with outcome 1. 

After the phase in which the transmission of the quantum states and the 
measurements have been finished, both parties publicly announce the bases 
in which they conducted their measurements. They discard the cases in 
which they did not measure in the same basis. On a small subset of the 
remaining data, they compare a small part of the string to obtain an estimate 
of the error rate. Let us assume that the error rates for measurements in both 
bases are the same and equal to $\varepsilon$. If this is not the case, Alice and Bob can 
always randomly flip some of the bits of the set with the lower error rate in 
order to make the error probabilities of both sets equal. 

The entropy of Alice's string $X$ equals $H(X) = 1$ and the conditional entropy 
of $X$ given $Y$ is given by $H(X|Y) = h(\varepsilon)$. The von Neumann entropy 
of $\rho$ can be estimated as follows. Note that for all projective measurements 
on $\rho$ with outcome given by a random variable $Z$, $H(Z) \ge S(\rho)$. Using 
Alice's and Bob's data, we want to construct the data that a Bell measurement, 
saved in the random variable $Z$, would have resulted in. Let us define the Bell 
states 

$$|\psi^\pm\rangle = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle) \quad\text{and}\quad |\phi^\pm\rangle = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle)$$

^The original proposal by Bennett and Brassard fixes $p = \frac{1}{2}$. A more efficient protocol, 
which achieves twice the key generation rate of the original proposal, can be obtained 
by choosing the two bases with different probabilities [85]. We choose $p = \Theta(n^{-\alpha})$, for 
$\alpha \in (0, 1)$ and $n$ the number of transmitted qubits (see also Section 4.4). 
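and express the probabilities of $Z$, denoted by $\lambda_i$, in terms of the probabilities 
of measurements in basis one and basis two: 

$$\lambda_1 := \langle\psi^+|\rho|\psi^+\rangle = \langle{+}{+}|\rho|{+}{+}\rangle + \langle{-}{-}|\rho|{-}{-}\rangle - \langle\phi^+|\rho|\phi^+\rangle \tag{23}$$

$$\lambda_2 := \langle\psi^-|\rho|\psi^-\rangle = \langle{+}{-}|\rho|{+}{-}\rangle + \langle{-}{+}|\rho|{-}{+}\rangle - \langle\phi^-|\rho|\phi^-\rangle \tag{24}$$

$$\lambda_3 := \langle\phi^+|\rho|\phi^+\rangle = \langle 01|\rho|01\rangle + \langle 10|\rho|10\rangle - \langle\phi^-|\rho|\phi^-\rangle \tag{25}$$

$\lambda_4 :=$ ■ (26) 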

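The symmetric error probability $\varepsilon$ yields 

$$\langle 00|\rho|00\rangle + \langle 11|\rho|11\rangle = 1 - \varepsilon$$
$$\langle{+}{+}|\rho|{+}{+}\rangle + \langle{-}{-}|\rho|{-}{-}\rangle = 1 - \varepsilon$$
$$\langle{+}{-}|\rho|{+}{-}\rangle + \langle{-}{+}|\rho|{-}{+}\rangle = \varepsilon$$
$$\langle 01|\rho|01\rangle + \langle 10|\rho|10\rangle = \varepsilon$$

and can be inserted into eqs. (23)-(26). We obtain 

$$\lambda_3 = \varepsilon - \lambda_4 \tag{27}$$
$$\lambda_2 = \varepsilon - \lambda_4 \tag{28}$$
$$\lambda_1 = 1 - \varepsilon - \lambda_3 = 1 - 2\varepsilon + \lambda_4 . \tag{29}$$

It remains to find the value of the free parameter $\lambda_4 \in [0, \varepsilon]$ such that 
$H(Z)$ is maximized. It can easily be shown that this is the case for $\lambda_4 =$ 
with $H(Z) = 2h(\varepsilon)$. 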

The rate $R$ of the protocol according to eq. (22) is given by 

$$R = H(X) - H(X|Y) - H(Z) = 1 - 3h(\varepsilon)$$

The security threshold is the highest value of $\varepsilon$ such that the rate $R$ is 
positive and is hence the solution to the equation $1 - 3h(\varepsilon) = 0$. We 
obtain $\varepsilon \approx 0.061$ which corresponds to a 6.1% bit error rate. Conversely, 
there exists a quantum state $\rho$ for which this rate is achieved and it is given 
by the mixture 

$$\rho = \lambda_1 |\psi^+\rangle\langle\psi^+| + \lambda_2 |\psi^-\rangle\langle\psi^-| + \lambda_3 |\phi^+\rangle\langle\phi^+| + \lambda_4 |\phi^-\rangle\langle\phi^-| \tag{30}$$

Making use of the remark at the end of Section 4.4.3 we can improve this 
security threshold. To do so, we introduce a random variable $W = X \oplus Y$, 
which contains the information about the error positions. The min entropy 
of the string $X$ does not decrease, whereas the size of the quantum data 
does, thus improving the key rate $R$. This can be seen as follows: given 
the fact that Alice and Bob measured in bases number one/two and that an 
error/no error has occurred, the quantum system can be divided into 
4 subsystems. The subsystems in the case of one error/no error contain a 
fraction of | and of the total number of qubits, respectively. For each 
of the systems the entropy can be estimated separately. If no error occurred 
we obtain /t( 1-2^+^4 ^ ^nd if an error occurred we get h{^^). A vera King 
over the four systems gives 

(1 - e)h (^^) + eh (i^) = HiZ) - hie) 

The key rate for BB84 is thus given by $R = 1 - 2h(\varepsilon)$ and the security 
threshold $\varepsilon \approx 0.1100$ is the solution to the equation $1 - 2h(\varepsilon) = 0$. The same 
rate has previously been obtained by Shor and Preskill [19]. 

5.2 The Six-State Protocol 

The six-state protocol [37, 38] is similar to the BB84 protocol, but makes 
use of a third basis on either side. This additional basis is defined as 
$\{\frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle), \frac{1}{\sqrt{2}}(|0\rangle - i|1\rangle)\}$ and conjugate to the other bases ^. This 
protocol admits higher symmetry, since the six states that are sent are symmetrically 
distributed on the Bloch sphere. Similarly to the derivation of 
eqs. (27)-(29), we easily derive the following additional constraint on the 
eigenvalues 

$$\lambda_3 = \varepsilon - \lambda_2$$

which results in $\lambda_1 = 1 - \frac{3}{2}\varepsilon$ and $\lambda_i = \varepsilon/2$ for $i \in \{2, 3, 4\}$, corresponding 
to a security threshold of 6.8% with corresponding state 

$$\rho = \lambda_1 |\psi^+\rangle\langle\psi^+| + \lambda_2 |\psi^-\rangle\langle\psi^-| + \lambda_3 |\phi^+\rangle\langle\phi^+| + \lambda_4 |\phi^-\rangle\langle\phi^-| \tag{31}$$
$$\phantom{\rho} = (1 - 2\varepsilon) |\psi^+\rangle\langle\psi^+| + 2\varepsilon\, \frac{\mathrm{id}}{4} \tag{32}$$

Another way to derive this result uses the average fidelity $F$ of a qubit 
quantum channel. It can be shown [39] to be equal to the average fidelity 
of the six states. Here, the fidelity of each state equals $1 - \varepsilon$ and therefore 
$F = 1 - \varepsilon$. $F$ and the entanglement fidelity $F_e$ are related by the formula 
-Fe = |in] which also leads to the 6.8% by use of the quantum Fano 
inequality. 

^Note that we can choose bases two and three e.g. with probability | each 

The given bounds for BB84 and the six-state protocol on the maximal 
entropy of $\rho$ are optimal, since Eve can simply prepare the state eq. (30). 
Even if we consider Alice preparing the particles and sending them off to 
Bob, we cannot achieve a better bound. This is because the state eq. (|nn|) 
can be effected by Eve with the following strategy: apply the Pauli matrix 
$\sigma_z$ with probability $\lambda_2$ ($\sigma_y$ with $\lambda_3$ and $\sigma_x$ with $\lambda_4$) on the sent quantum 
state and with probability $\lambda_1$ take no action. 

By conditioning on the random variable $W = X \oplus Y$, however, we can 
improve the security threshold in a similar manner as we did in the BB84 
analysis. This leads to a value of $\varepsilon \approx 0.1262$ for the six-state protocol, which 
coincides with the result of an earlier calculation by Lo ^IT based on a result 
by Bennett et al. 02]. 
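The thresholds quoted in Sections 5.1 and 5.2 can be reproduced numerically; the following is an added example, not code from the paper. It maximises $H(Z)$ over the free parameter $\lambda_4$ for BB84, evaluates eq. (22) with and without conditioning on $W$ (assuming, as in the BB84 analysis, that conditioning lowers the entropy term by $h(\varepsilon)$ for the six-state protocol as well), and locates the zero of the rate by bisection; all function names are this example's own.

```python
import math


def shannon(probs):
    """Shannon entropy in bits of a probability vector."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def h(e):
    """Binary entropy h(e)."""
    return shannon([e, 1 - e])


def bb84_spectrum(e, lam4):
    """Bell-state weights (lam1, lam2, lam3, lam4) from eqs. (27)-(29)."""
    return [1 - 2 * e + lam4, e - lam4, e - lam4, lam4]


def bb84_max_entropy(e):
    """Maximise H(Z) over the free parameter lam4 in [0, e].
    H(Z) is concave in lam4, so a ternary search finds the maximum."""
    lo, hi = 0.0, e
    for _ in range(200):
        m1, m2 = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if shannon(bb84_spectrum(e, m1)) < shannon(bb84_spectrum(e, m2)):
            lo = m1
        else:
            hi = m2
    lam4 = (lo + hi) / 2
    return lam4, shannon(bb84_spectrum(e, lam4))


def six_state_entropy(e):
    """H(Z) for lam1 = 1 - 3e/2 and lam2 = lam3 = lam4 = e/2."""
    return shannon([1 - 1.5 * e, e / 2, e / 2, e / 2])


def rate(e, protocol, condition_on_w=False):
    """Eq. (22) with H(X) = 1, H(X|Y) = h(e) and S(rho) bounded by H(Z).
    Conditioning on W = X xor Y replaces H(Z) by H(Z) - h(e)."""
    hz = bb84_max_entropy(e)[1] if protocol == "bb84" else six_state_entropy(e)
    if condition_on_w:
        hz -= h(e)
    return 1 - h(e) - hz


def threshold(protocol, condition_on_w=False):
    """Largest error rate with positive key rate, by bisection on (0, 1/4)."""
    lo, hi = 1e-9, 0.25
    for _ in range(60):
        mid = (lo + hi) / 2
        if rate(mid, protocol, condition_on_w) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    for name in ("bb84", "six-state"):
        for cond in (False, True):
            print(name, "conditioned on W" if cond else "unconditioned",
                  round(threshold(name, cond), 4))
```

The numerical maximiser for BB84 lands where the four weights factor into the product distribution of two independent bits with bias $\varepsilon$, which is why the maximum equals $2h(\varepsilon)$.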

5.3 B92 

In 1992, Bennett suggested a protocol for quantum key distribution that 
belongs to the class of prepare and measure protocols but differs 
significantly from BB84 and the six-state protocol. In the specification of the 
protocol, known as B92, Alice sends one of two non-orthogonal quantum 
states, which we will denote by \u±), to Bob. He chooses randomly to mea- 
sure in one of two von Neumann measurements. The first measurement 
consists of the vectors {|n_), |n_)}, where is orthogonal to \u-). Simi- 
larly, the second measurement is given by |n+)} with \u+) orthogonal 
to Bob announces acceptance if he obtains outcomes corresponding to 
\u±), otherwise both parties discard the values that they recorded. 

Alice records the bit value 0/1 if she sends |u+)/|n_) and Bob jots down 
the value 0/1 if he obtains |n_)/|n+). We will assume throughout the anal- 
ysis that Alice sends each quantum state with equal probability and Bob 
chooses randomly and with equal probability between his two measurements. 

Note that in the case of perfect transmission, the strings, conditioned 
upon acceptance, are identical and randomly distributed. We will now proceed 
to show how one can apply our generic security proof to this specific 
protocol in the presence of noise. To do so, we need to estimate the expressions 
in (22), where $\mathcal{R}$ is the set of possible quantum states conditioned 
on the event that Alice and Bob accept. As in the analysis of BB84 and 
the six-state protocol, we will condition on an additional random variable, 
which equals the XOR of Alice's and Bob's bits after acceptance. 

For the following analysis, let $p_{xy}$, for $x, y \in \{0, 1\}$, be the probability 
that Alice and Bob accept a particle and that they have the bit values $x$ 
and $y$, respectively. We can without loss of generality assume that $p_{00} = p_{11}$ 
and $p_{01} = p_{10}$ (Alice and Bob can simply abort the protocol if this is not 
the case). 

Let {|0), |1)} be an orthonormal basis and write 

\u±) = I3\0) ±a\l) 
|n±) =a|0) T/3|l) 

with a E ^) ~ — d'^- The interaction of the transmitted 

quantum states with the environment or a possible eavesdropper, Eve, is 
given by 

|n±)|e) ^ := Vr^\u±)\e±) + ^\u±)\e±) , (33) 

where 6 = 4poi = 4pio. (Note that the factor 4 results from the random 
choices of Alice and Bob.) 

The evolution in eq. (33) is unitary, which implies the important 
constraint 

{u+\u.) = {^+\^-) . 
This constraint reads in its expanded form 

/?2 _ ^2 = (1 _ 5)(/j2 _ ct2) ( e+ I e_ ) 



+ V(l -5)6 2af3i{e+\e^) + {e+\e-)) (34) 

Without loss of generality we can take ( e+ | e_ ) to be real. Eve's quantum 
states, given the outcome was accepted by Bob and that Alice and Bob 
have the same bit value, are denoted by In the case of an error and 

acceptance, we write |/±), where it denotes Alice's bit value 0/1. One easily 
obtains 

I,, _ ( I ^± ) _ VT^ 2aP\e±) + VSja^ - (3^)\e±) 

\J±) ■— p — 7= I'J'^J 

l/±) := = |e±) (36) 

where 7 = 4poo = 4:Pii is given by the probability that Alice and Bob have 
a correct value. 



7 = (1 - 25){2a(3f + 2^(1 - 5)52a(3{a'^ - (3'^)Re {e±\e±) + 6 . (37) 
Eve's density matrices, conditioned on the correctness/falseness of the accepted 
bit, are given by 



^ ■■= hi\u)iu\ + \f-)if-\) 

a := i(|/+)(/+| + |/.)(/_|) = i(|e+)(e+| + |e_)(e_|) 

and have eigenvalues ^^1^-^+ I )l and MK£±i£zLli^ respectively. Every esti- 
mate for the scalar products ( /+ | /- ) and ( e+ | e_ ) thus leads to an esti- 
mate of the entropy of a and a. ( /+ | /- ) takes the form 

- 

where we made use of eq. (jSU to simplify the expression in the nominator. 

It thus remains to find an estimate for ( e+ | e_ ) . This will be done by 
use of the unitarity constraint, eq. (|34|). In particular, we can choose S such 
that ( e+ I e_ ) is sufficiently close to one. For small Re ( e-t | e-t ) , we thus 
derived lower bound on the scalar product ( /_|_ | /_ ) . Note that 5 and 7 
can be derived from the probabilities pxy which are determined by Alice and 
Bob. Together with eq. (|57j) . this gives an estimate for Re ( e-t | e-t ) . Using 
the trivial bound S{a) < 1, this suffices to find a bound for the rate of B92 
according to eq. (221) • 

As a specific example let us consider the depolarizing channel 

{l-p)p + ^Y^ (Jipai . 

i 

It is easy to compute the quantities pxy for this channel. In particular, we 
obtain 



and 



1, 4 , , ^,0 2 
Poo = pii = -(1 - -p){2al3) + -p 



i.e., 6 = |p. Using eq. (|57|) and 7 = 4poo = 4pii, we have Re ( e-t | e± 
The error rate conditioned on acceptance, is thus given by 

with T] := {2al3f . 



(1 - 25)?? + 26 



From Re ( e+ | e+ ) = follows Re ( e+ | e_ ) < y^l — | ( e+ | e_ ) p which we 
insert into eq. 1)341) . We therefore have an estimate of the terms proportional 
to For the third term of the right hand side of eq. H34|) , we use take the 
trivial estimate Re ( e+ | e_ ) > —1. Altogether we have 

v{l-{e+\e.)f<l-{e+\e.f w\th v := " '^^ " ^) . 

The valid solutions of this quadratic expression are given by 

(e+|e_) > 



and directly lead to an estimate for S{(t). Using S{a) < 1 we obtain an 
estimate for the entropy of the quantum state of Alice and Bob conditioned 
on the random variable W . The total rate is given by 

where 

(l-5<5)(l-<5)r?(l-77) 



X 



(5 + (l-25)r?)((l-<5)-(l-5%) 



The highest security threshold p is obtained for a ~ 0.38 and equals 
p ~ 0.036. This is a slight improvement of the previously obtained security 
threshold p ~ 0.034 by Tamaki, Koashi and Imoto [?!) . 



6 Conclusion 

In this paper we have presented a security proof for a generic quantum key 
distribution protocol. The protocol requires only single particle measure- 
ments on Alice's and Bob's sides and uses one-way information reconcilia- 
tion and privacy amplification to extract a secret key from the raw data. In 
our proof we estimate the amount of classical correlation contained in Alice's 
and Bob's data and derive a bound on the quantum information, which a 
possible adversary might have about this data. Subsequently, we apply a 
recent result by König, Maurer and Renner to ensure the security of the 
privacy amplification stage. 

Special cases of our protocol include entanglement based quantum key 
distribution, such as E91, and prepare and measure schemes, such as BB84 or 
the six state protocol. We were able to derive security thresholds of 11.0% 
bit error rate for BB84 (four-state protocol) and 12.6% for the six-state 
protocol, previously obtained by Shor and Preskill, and Lo, respectively. 
Furthermore we have shown how our technique can be applied to prove the 
security of B92. In the case of the depolarizing channel this leads to a slight 
improvement of the security threshold that has been recently obtained by 
Tamaki, Koashi and Imoto. 